Various outlets have reported on the recent appearance of evangelical spam—unsolicited bulk email which promotes religious messages instead of advertising products. It’s been pointed out that since CAN-SPAM refers only to commercial mail, it can’t be used to stop people who bombard you with other types of messages.

I’ve seen 419 scams with religious trappings for months. These are the usual “Help me smuggle $20 million out of my country” ploys with the added twist of “Oh, I’m a missionary” or “I’ll donate it to an orphanage” or “You can trust me, I’m a Christian,” usually tied to a Middle Eastern nation where Christians are in the minority (because Nigeria is so passé). Of course the only thing the scammers really worship is the almighty X-MILLION US DOLLARS. It’s a cheap sympathy ploy, nothing more, made obvious by the fact that, well, it’s a scam!

Today I saw a new variation on that tactic: instead of appealing to Christians, this one was appealing to Muslims. It was all about some Muslim convert in Cuba who had been abandoned by his Catholic family and just needed to transfer $12 million out of the country… all sent from a UK-based email account.

On a side note, I’ve found myself wondering lately why so many of these seem to come from European ISP Tiscali, particularly Tiscali UK. (One came through yesterday with 119 copies of the standard footer!) I assume they must provide easy-to-get email accounts, or perhaps connectivity for a lot of Internet cafés. It also suggests that quite a few of these scammers aren’t anywhere near the (mostly) third-world nations where they claim to live.

CAN-SPAM one year later: more spam than ever. Spam has more than doubled from 15 billion messages in 2003 to an estimated 35 billion in 2004. Is anyone really surprised? From the article: “The FTC says the goal of the act was never to cut down on spam but to give recipients control via the opt-out component.” Hmm, that might be part of why groups like Spamhaus were calling it the “You Can Spam” act. (via The War on Spam)

Webroot identifies the Top 10 “Most Unwanted” Spyware programs, using the “P-I Index…. P is for prevalence, I is for insidiousness.” The “winners” include pop-up generators, keystroke loggers, autodialers and the like. (via Aunty Spam’s Net Patrol)

Finally, there are several fixes and work-arounds for the pop-up window spoofing vulnerability I wrote about last week. There’s the all-inclusive method: close all other browser windows. Netcraft reports that Opera has issued a fix (7.54u1) and Safari is safe if pop-up blocking is enabled. I just got an email indicating that KDE has released a fix for Konqueror (expect that to start hitting distributions this week). No word yet on Firefox or IE, and while Microsoft has its monthly patch day tomorrow, I wouldn’t expect this to show up quite that soon.

[Photo: looking up past a bronze statue of a woman, seen from behind, toward an ornately carved balcony set in the wall of a stone building with three levels of peaked windows and doors. Vines trail from a wooden walkway one level above the balcony.]

It seems that the city of Verona wants people to text-message “Juliet” (of Romeo and…) [note: originally linked to Reuters] instead of writing notes and sticking them to the walls with gum. (Too bad it wasn’t in Singapore.) Apparently the notes are damaging the walls of the 13th-century building, and they want to set up a screen and have people send text messages to it using the phone.

There’s a small courtyard with a balcony, a gift shop, and a statue of the Shakespearean heroine. According to the article it was originally an inn, but has long been associated with the Capulets. “Acquired by the council a century ago, it was officially designated ‘the house of Juliet’ in 1935.” I don’t recall seeing any notes on the walls when I was there in 1999. Either I’ve just forgotten, or it really has gotten worse in the last five years.

Here’s an online security story to freak you out: Security firm Secunia has found a loophole [Edit: originally linked to Yahoo! News] in basic browser window handling that lets any site load a page of its own choosing into a pop-up window opened by any other site. That’s not just ads; it includes pop-up help windows, password dialogs, you name it.

They even have a demonstration: Start the code going on their site, open up Citibank, then click a button on the Citibank site that opens a pop-up, and the pop-up will show a page from Secunia instead.

And it works in every major browser, for the simple reason that it uses standard functionality that no one has questioned until now: the ability to open a page in a particular named frame or window (the target of a link, or the second argument to window.open). All you need to know is the name of that window, and since sites use fixed, predictable names for their pop-ups, that is usually trivial. As long as the pop-up hides the toolbars and the location bar (standard practice for pop-up windows of all stripes), the user will never notice that the content now comes from somewhere else. There is a workaround, at least for Firefox and Mozilla users, but it’s ugly: prevent sites from hiding the location bar, so that the injected page’s address is at least visible.

Actually, the functionality has been questioned before: last July, when Secunia found a similar problem with frames. The solution for that was to prevent a page in one window (or tab) from loading content into frames in another. It’s a little more challenging to decide which pages should be allowed to navigate a top-level window, because opening a page in another window by name is something sites legitimately rely on.

In the short term, sites wanting to protect themselves from being hijacked can probably help by randomizing the names of their pop-up windows: an attacker who can’t guess the name can’t target the window (which only helps as long as the name isn’t otherwise exposed to other sites). In the long term, browsers are going to have to figure out which pages should be allowed to load new content into a given window, for instance by tying a named window to the site that opened it, and which shouldn’t, knowing that they’ll undoubtedly end up breaking some websites in the process.

(via The War on Spam)